How to configure Kubernetes Ingress Nginx annotations so the whitelist applies only to HTTP

7/9/2018

I have configured my ingress to support SSL:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "service"
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "x.x.x.x/xx"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
  - hosts:
    - "example.com"
    secretName: example.name
  rules:
  - host: "example.com"
    http:
      paths:
      - path: /
        backend:
          serviceName: service
          servicePort: 80

In my config above, only IPs in the whitelist can access the domain, for both HTTP & HTTPS. But I would like to configure it so that all IP addresses can access https://example.com (HTTPS) and some IP addresses in the whitelist can access it without SSL - http://example.com.

-- WorkWe
kubernetes
kubernetes-ingress
kubernetes-security
nginx
ssl

3 Answers

7/10/2018

I believe it is not possible by using only nginx-ingress at the moment.
When you set up the HTTPS scheme for Ingress, it starts to listen on port 443 and continues to listen on port 80.

However, you are able to do it by using an on-premise Nginx instance as an external Load Balancer.
Follow this link for the detailed instructions: "Kubernetes TCP load balancer service on premise (non-cloud)"

As another option, you may want to try Istio Ingress.

-- VAS
Source: StackOverflow

7/9/2018

The whitelist-source-range annotation will always affect the entire Ingress resource. However, you might (untested!) try using two separate Ingress resources: one for HTTP access (with a source whitelist and without a tls configuration) and one for HTTPS (with plain HTTP disabled using the kubernetes.io/ingress.allow-http annotation):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: service-https
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
  - hosts:
    - "example.com"
    secretName: example.name
  rules:
  - host: "example.com"
    http:
      paths:
      - path: /
        backend:
          serviceName: service
          servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: service-http
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "x.x.x.x/xx"
spec:
  rules:
  - host: "example.com"
    http:
      paths:
      - path: /
        backend:
          serviceName: service
          servicePort: 80
-- helmbert
Source: StackOverflow

7/11/2018

I have resolved my issue by adding more config to the nginx location (which listens on both http and https) using the nginx.ingress.kubernetes.io/configuration-snippet annotation.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "service"
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    # The configs to allow all IPs access via https and allow some IPs in
    # security whitelist access via http
    nginx.ingress.kubernetes.io/configuration-snippet: |

      if ($https) {
        set $allow_ip true;
      }

      # Anchor the pattern and escape the dots so only the listed addresses match.
      if ($remote_addr ~ "^(x\.x\.x\.x|y\.y\.y\.y)$") {
        set $allow_ip true;
      }

      if ($allow_ip != true) {
        return 403;
      }
spec:
  tls:
  - hosts:
    - "example.com"
    secretName: example.name
  rules:
  - host: "example.com"
    http:
      paths:
      - path: /
        backend:
          serviceName: service
          servicePort: 80
-- WorkWe
Source: StackOverflow
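
The configuration-snippet approach above decides plain-HTTP access with a regular expression on $remote_addr, so how that pattern is anchored and escaped determines which clients are let through. The following is an added example, not part of the original answer: it models the snippet's allow/deny decision in Python, compares a bare alternation with an anchored, dot-escaped one, and renders the snippet body from an IP list. The function names and sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample allowlist for plain HTTP (RFC 5737 documentation addresses).
ALLOWED_HTTP_IPS = ["192.0.2.1", "198.51.100.7"]


def loose_pattern(ips):
    """Hand-written style alternation: dots unescaped, no anchors."""
    return "(" + "|".join(ips) + ")"


def strict_pattern(ips):
    """Anchored alternation with literal dots; raises ValueError on non-IPv4 input."""
    literals = [re.escape(str(ipaddress.IPv4Address(ip))) for ip in ips]
    return "^(" + "|".join(literals) + ")$"


def decide(pattern, remote_addr, https):
    """Status the snippet would yield: HTTPS always passes, HTTP only on a match.

    nginx's `~` is an unanchored regex match, modelled here with re.search;
    200 stands for "request is proxied to the backend".
    """
    allowed = https or re.search(pattern, remote_addr) is not None
    return 200 if allowed else 403


def render_snippet(ips):
    """Render the configuration-snippet body with the strict pattern."""
    return (
        "if ($https) {\n  set $allow_ip true;\n}\n"
        'if ($remote_addr ~ "%s") {\n  set $allow_ip true;\n}\n'
        "if ($allow_ip != true) {\n  return 403;\n}\n" % strict_pattern(ips)
    )


if __name__ == "__main__":
    samples = ["192.0.2.1", "192.0.2.10", "192.0.251.7", "203.0.113.5"]
    for addr in samples:
        print(addr, "loose:", decide(loose_pattern(ALLOWED_HTTP_IPS), addr, False),
              "strict:", decide(strict_pattern(ALLOWED_HTTP_IPS), addr, False))
    print(render_snippet(ALLOWED_HTTP_IPS))
```

A regex over $remote_addr only expresses individual addresses; CIDR ranges such as the x.x.x.x/xx value used with whitelist-source-range are not covered by this check.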